











    <!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="Content-Language" content="en">
        <meta name="viewport" content="initial-scale=1">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="referrer" content="no-referrer">
        <meta name="robots" content="noindex">
        <title>Acunetix Report</title>
        <style>
/* region Normalize */
/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
html {
    font-family: sans-serif;
    -webkit-text-size-adjust: 100%;
    -ms-text-size-adjust: 100%;
}

body {
    margin: 0;
}

article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
main,
menu,
nav,
section,
summary {
    display: block;
}

audio,
canvas,
progress,
video {
    display: inline-block;
    vertical-align: baseline;
}

audio:not([controls]) {
    display: none;
    height: 0;
}

[hidden],
template {
    display: none;
}

a {
    background-color: transparent;
}

a:active,
a:hover {
    outline: 0;
}

abbr[title] {
    border-bottom: 1px dotted;
}

b,
strong {
    font-weight: bold;
}

dfn {
    font-style: italic;
}

h1 {
    margin: .67em 0;
    font-size: 2em;
}

mark {
    color: #000;
    background: #ff0;
}

small {
    font-size: 80%;
}

sub,
sup {
    position: relative;
    font-size: 75%;
    line-height: 0;
    vertical-align: baseline;
}

sup {
    top: -.5em;
}

sub {
    bottom: -.25em;
}

img {
    border: 0;
}

svg:not(:root) {
    overflow: hidden;
}

figure {
    margin: 1em 40px;
}

hr {
    height: 0;
    -webkit-box-sizing: content-box;
    -moz-box-sizing: content-box;
    box-sizing: content-box;
}

pre {
    overflow: auto;
}

code,
kbd,
pre,
samp {
    font-family: monospace, monospace;
    font-size: 1em;
}

button,
input,
optgroup,
select,
textarea {
    margin: 0;
    font: inherit;
    color: inherit;
}

button {
    overflow: visible;
}

button,
select {
    text-transform: none;
}

button,
html input[type="button"],
input[type="reset"],
input[type="submit"] {
    -webkit-appearance: button;
    cursor: pointer;
}

button[disabled],
html input[disabled] {
    cursor: default;
}

button::-moz-focus-inner,
input::-moz-focus-inner {
    padding: 0;
    border: 0;
}

input {
    line-height: normal;
}

input[type="checkbox"],
input[type="radio"] {
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
    padding: 0;
}

input[type="number"]::-webkit-inner-spin-button,
input[type="number"]::-webkit-outer-spin-button {
    height: auto;
}

input[type="search"] {
    -webkit-box-sizing: content-box;
    -moz-box-sizing: content-box;
    box-sizing: content-box;
    -webkit-appearance: textfield;
}

input[type="search"]::-webkit-search-cancel-button,
input[type="search"]::-webkit-search-decoration {
    -webkit-appearance: none;
}

fieldset {
    padding: .35em .625em .75em;
    margin: 0 2px;
    border: 1px solid #c0c0c0;
}

legend {
    padding: 0;
    border: 0;
}

textarea {
    overflow: auto;
}

optgroup {
    font-weight: bold;
}

table {
    border-spacing: 0;
    border-collapse: collapse;
}

td,
th {
    padding: 0;
}

/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */
@media print {

    * {
      -webkit-print-color-adjust: exact !important;
      print-color-adjust: exact !important;
    }

    *:before,
    *:after {
        color: #000 !important;
        text-shadow: none !important;
        background: transparent !important;
        -webkit-box-shadow: none !important;
        box-shadow: none !important;
    }

    a,
    a:visited {
        text-decoration: underline;
    }

    a[href]:after {
        content: " (" attr(href) ")";
    }

    abbr[title]:after {
        content: " (" attr(title) ")";
    }

    a[href^="#"]:after,
    a[href^="javascript:"]:after {
        content: "";
    }

    pre,
    blockquote {
        border: 1px solid #999;

        page-break-inside: avoid;
    }

    thead {
        display: table-header-group;
    }

    tr,
    img {
        page-break-inside: avoid;
    }

    img {
        max-width: 100% !important;
    }

    p,
    h2,
    h3 {
        orphans: 3;
        widows: 3;
    }

    h2,
    h3 {
        page-break-after: avoid;
    }

    .navbar {
        display: none;
    }

    .btn > .caret,
    .dropup > .btn > .caret {
        border-top-color: #000 !important;
    }

    .label {
        border: 1px solid #000;
    }

    .table {
        border-collapse: collapse !important;
    }

    .table td,
    .table th {
        background-color: #fff !important;
    }

    .table-bordered th,
    .table-bordered td {
        border: 1px solid #ddd !important;
    }
}

/* endregion Normalize */

/* region Report styles */

/* region For testing purposes only */
@media screen {
    html {
        background-color: #808080;
    }

    body {
        background-color: #ffffff;
        width: 210mm;
        margin-left: auto;
        margin-right: auto;
        height: 100%;
        min-height: 100%;
        padding: .98in .98in .79in .98in;
        box-shadow: 2px 2px 2px #222;
        position: relative;
    }
}

/* endregion For testing purposes only */

/* region Global Styles */
body {
    font-family: sans-serif;
    font-size: 13pt;
}

table {
    table-layout: fixed;
    width: 100%;
    border-collapse: collapse;
}

table > tbody > tr > td {
    padding: 4px 8px;
    border: 1px solid #dadada;
    word-wrap: break-word;
}

table > tbody > tr > td:first-child {
    width: 200px;
}

p {
    word-wrap: break-word;
}

.page-break {
    page-break-before: always;
}

.ax-section-title {
    border-bottom: 1px solid #cccccc;
    padding-bottom: 2px;
    margin-bottom: 10px;
}

.ax-section-title--big {
    border-bottom-width: 3px;
    padding-bottom: 3px;
    padding-top: 30px;
}

/* endregion Global Styles */

/* endregion Report styles */

/* region Cover page */


.cover {
    width: 210mm;
    height: 297mm;
    }
.cover > img {
    width: 210mm;
    left: 20mm;
    z-index: -1;
    top: 60mm;
    position: absolute;
    }

.logo {
    position: absolute;
    top: 40px;
    left: 40px;
}

.ax-report__title {
    font-size: 62pt;
    font-weight: bold;
    text-align: left;
    top: 100mm;
    left: 40mm;
    width: 170mm;
    position: absolute;
    height: 70mm;
}


.ax-report__title_compliance {
    font-size: 38pt;
    font-weight: bold;
    text-align: center;
    top: 100mm;
    left: 20mm;
    width: 210mm;
    position: absolute;
    height: 70mm;
}

.ax-report__subtitle {
    text-align: left;
    font-size: 21pt;
    top: 180mm;
    left: 40mm;
    width: 210mm;
    position: absolute;
}

.ax-report__footer {
    border-bottom: 1px solid #cccccc;
    padding-bottom: 10px;
    left: 40mm;
    top: 320mm;
    position: absolute;
    width: 70%;
}

.ax-report__subfooter {
    left: 40mm;
    font-size: 8pt;
    top: 330mm;
    position: absolute;
}

.ax-report__title_date {
    text-align: left;
    left: 40mm;
    font-size: 13pt;
    top: 220mm;
    position: absolute;
}

/* endregion Cover page */


/* region Alert title */

.ax-alert-title {
    box-sizing: border-box;
    border-bottom: 2px solid #cccccc;
    padding-bottom: 3px;
    background-color: gray;
    color: white;
}

/* endregion Alert title */


/* region Severity Indicator*/

.ax-severity-icon {
    display: inline-block;
    width: 16px;
    height: 16px;
    vertical-align: baseline;
    border: none;
    background: url('images/severity.png');
    box-sizing: border-box;
    margin-right: 10px;
    position: relative;
    top: 1px;
}
.ax-severity-icon--high   {background-position: 0 0;}
.ax-severity-icon--medium {background-position: 0 -16px;}
.ax-severity-icon--low    {background-position: 0 -32px;}
.ax-severity-icon--info   {background-position: 0 -48px;}


.ax-alerts-distribution__label > img {margin-right: 5px;}
/* endregion Severity Indicator*/


table.ax-alert-info > tbody > tr > td:first-child {
    background-color: #E3E3E3;
}
table.ax-alert-info > tbody > tr > td.ax-alert-info__severity_value {
    font-weight: bold;
}


.ax-affected-item__highlight--dark { background-color: #cccccc; }
.ax-affected-item__highlight--light { background-color: #eeeeee; }

</style>
    </head>












    <body>
        <img class="logo" src=''/>
        <div class="cover">
            <img src="">
            <div class="page-break ax-report__title">
                Developer Report
            </div>

            <div class="ax-report__subtitle">
                Acunetix Security Audit
            </div>

            <div class="ax-report__title_date">
                27 May 2019
            </div>
            <div class="ax-report__footer">
                Generated by Acunetix
            </div>
        </div>












    <h2 class="page-break ax-section-title ax-section-title--big">
    
        Scan of www.vbboy.com
    
</h2>

<h3 class="ax-section-title">
    Scan details
</h3>

<table border="1" class="ax-scan-summary">
<tbody>
    <tr class="ax-scan-summary__section-title"><td colspan="2">Scan information</td></tr>
    
    <tr>
        <td class="ax-column-highlight">Start time</td>
        <td>27/05/2019, 03:22:02</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Start url</td>
        <td>http://www.vbboy.com</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Host</td>
        <td>www.vbboy.com</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Scan time</td>
        <td>71 minutes, 48 seconds</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Profile</td>
        <td>Full Scan</td>
    </tr>
    
    
    <tr class="ax-scan-summary__section-title">
        <td>Server information</td>
        <td>cloudflare</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Responsive</td>
        <td>True</td>
    </tr>
    
    
    
    <tr>
        <td class="ax-column-highlight">Server OS</td>
        <td>Unknown</td>
    </tr>
    
    
    <tr>
        <td class="ax-column-highlight">Server technologies</td>
        <td>
            PHP
        </td>
    </tr>
    
    
    
</tbody>
</table>
<h4 class="ax-section-title">
    Threat level
</h4>

<h4>Acunetix Threat Level 2</h4>

    <p>One or more medium-severity vulnerabilities were discovered by the scanner. Investigate each of them to ensure they cannot be chained or escalated into more severe problems. Note that the threat level is a coarse roll-up: prioritise by the per-alert CVSS scores in the summaries below (for example, "User credentials are sent in clear text" on /zb_system/login.php carries a CVSS3 base score of 9.1, consistent with the scan starting from the plain http://www.vbboy.com URL). Bear in mind also that the server banner observed was "cloudflare", so server OS/technology fingerprinting and header-based findings may reflect the proxy rather than the origin server.</p>


<h4 class="ax-section-title">
    Alerts distribution
</h4>

<table border="1" class="ax-alerts-distribution">
    <tr>
        <td class="ax-alerts-distribution__label">Total alerts found</td>
        <td>37</td>
    </tr>
    <tr>
        <td class="ax-alerts-distribution__label ax-alerts-distribution__label--high"><img src="">High</td>
        <td>0</td>
    </tr>
    <tr>
        <td class="ax-alerts-distribution__label ax-alerts-distribution__label--medium"><img src="">Medium</td>
        <td>19</td>
    </tr>
    <tr>
        <td class="ax-alerts-distribution__label ax-alerts-distribution__label--low"><img src="">Low</td>
        <td>10</td>
    </tr>
    <tr>
        <td class="ax-alerts-distribution__label ax-alerts-distribution__label--info"><img src="">Informational</td>
        <td>8</td>
    </tr>
</table>












    <h3 class="page-break ax-section-title">
    Alerts summary
</h3>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Application error message
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 5.3<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: Low<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_419">/zb_system/cmd.php</a></td>
            <td width="10%">7</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Error message on page
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 5.3<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: Low<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_3106">/zb_system/admin/</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_419">/zb_system/cmd.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    HTML form without CSRF protection
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 2.6<br>
Access Vector: Network_accessible<br>
Access Complexity: High<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: Partial<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 4.3<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: Required<br>
Scope: Unchanged<br>
Confidentiality Impact: None<br>
Integrity Impact: Low<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-352</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_2866">/index.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_3106">/zb_system/admin/</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_419">/zb_system/cmd.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_3094">/zb_system/login.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    URL rewrite vulnerability
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: Partial<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-436</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_2866">/index.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    User credentials are sent in clear text
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: High<br>
Remediation Level: Workaround<br>
Report Confidence: Confirmed<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 9.1<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: High<br>
Integrity Impact: High<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-310</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_3094">/zb_system/login.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Vulnerable Javascript library
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 6.4<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: Partial<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 6.5<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: Low<br>
Integrity Impact: Low<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-16</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_451">/zb_system/script/common.js</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Clickjacking: X-Frame-Options header missing
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 6.8<br>
Access Vector: Network_accessible<br>
Access Complexity: Medium<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: Partial<br>
Availability Impact: Partial<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-693</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Cookie(s) without HttpOnly flag set
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-16</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Cookie(s) without Secure flag set
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-16</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Login page password-guessing attack
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 5.3<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: Low<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-307</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_3094">/zb_system/login.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Possible relative path overwrite
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-20</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_3094">/zb_system/login.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Possible sensitive directories
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 7.5<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: High<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">5</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Content Security Policy (CSP) not implemented
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-16</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Email address found
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 0.0<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_466">/feed.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_2705">/zb_system/css/admin.css</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Password type input with auto-complete enabled
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 0.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: None<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 7.5<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: High<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Possible internal IP address disclosure
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 7.5<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: High<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_2">Web Server</a></td>
            <td width="10%">1</td>
        </tr>
        
    
        
        <tr>
            <td width="90%"><a href="#link_id_466">/feed.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <!--alert_summary-->
<h4 class="ax-section-title ax-section-title--no-border">
    
        <img src="">
    
    Possible server path disclosure (Unix)
</h4>
<table>
    <tr><td colspan="2" class="ax-alert-summary__title">Classification</td></tr>
    
        <tr><td>CVSS2</td><td>Base Score: 5.0<br>
Access Vector: Network_accessible<br>
Access Complexity: Low<br>
Authentication: None<br>
Confidentiality Impact: Partial<br>
Integrity Impact: None<br>
Availability Impact: None<br>
Exploitability: Not_defined<br>
Remediation Level: Not_defined<br>
Report Confidence: Not_defined<br>
Availability Requirement: Not_defined<br>
Collateral Damage Potential: Not_defined<br>
Confidentiality Requirement: Not_defined<br>
Integrity Requirement: Not_defined<br>
Target Distribution: Not_defined<br>
</td></tr>
    
        <tr><td>CVSS3</td><td>Base Score: 7.5<br>
Attack Vector: Network<br>
Attack Complexity: Low<br>
Privileges Required: None<br>
User Interaction: None<br>
Scope: Unchanged<br>
Confidentiality Impact: High<br>
Integrity Impact: None<br>
Availability Impact: None<br>
</td></tr>
    
        <tr><td>CWE</td><td>CWE-200</td></tr>
    
</table>
<table width="100%">
    <tr><td width="90%">Affected items</td><td width="10%">Variation</td></tr>
    
        
        <tr>
            <td width="90%"><a href="#link_id_466">/feed.php</a></td>
            <td width="10%">1</td>
        </tr>
        
    
</table>











    <h3 class="page-break ax-section-title">
    Alerts details
</h3>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Application error message
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerScheme/Error_Message.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    <div class="bb-coolbox"><span class="bb-dark">This alert requires manual confirmation</span></div><br/>

Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.<br/><br/>

Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Error messages may disclose sensitive information which can be used to escalate attacks.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Verify whether this page discloses error or warning messages and, if so, configure the application to log errors to a file instead of displaying them to the user.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors">PHP Runtime Configuration</a><br>
    
    <a href="https://www.owasp.org/index.php/Improper_Error_Handling">Improper Error Handling</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>URL encoded GET input <strong><span class="bb-dark">id</span></strong> was set to <strong><span class="bb-dark">&quot;&quot; (empty)</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /?id= HTTP/1.1
Referer: http://www.vbboy.com/
Connection: keep-alive
Cookie: __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Cookie input <strong><span class="bb-dark">__cfduid</span></strong> was set to <strong><span class="bb-dark">VVEwS2Yyb3daYVdobFZ2bjdySG5waVRLc1hWZTZ2cTZDb3JZc1hJMUxPbQ==</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php HTTP/1.1
Referer: https://www.google.com/search?hl=en&amp;q=testing
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Cookie: __cfduid=VVEwS2Yyb3daYVdobFZ2bjdySG5waVRLc1hWZTZ2cTZDb3JZc1hJMUxPbQ==
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>URL encoded GET input <strong><span class="bb-dark">act</span></strong> was set to <strong><span class="bb-dark">&quot;&quot; (empty)</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php?act=&amp;type=vrs HTTP/1.1
Referer: http://www.vbboy.com/
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>URL encoded GET input <strong><span class="bb-dark">act</span></strong> was set to <strong><span class="bb-dark">&quot;&quot; (empty)</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php?act= HTTP/1.1
Referer: http://www.vbboy.com/
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>URL encoded GET input <strong><span class="bb-dark">act</span></strong> was set to <strong><span class="bb-dark">&quot;&quot; (empty)</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php?act=&amp;src= HTTP/1.1
Referer: http://www.vbboy.com/
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_1336931493=8595f002250d3e8932b0d7f765d8fb9d;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Cookie input <strong><span class="bb-dark">captcha_1336931493</span></strong> was set to <strong><span class="bb-dark">aUtDa0M0THpZVTVNdlU2QnQ1TkpURTdpeEFXalB0S1E=</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php HTTP/1.1
Referer: https://www.google.com/search?hl=en&amp;q=testing
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_1336931493=aUtDa0M0THpZVTVNdlU2QnQ1TkpURTdpeEFXalB0S1E=;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Cookie input <strong><span class="bb-dark">captcha_3688958368</span></strong> was set to <strong><span class="bb-dark">clUyb0FsWGZrTkZqb1BhUG13cGVZMjZLSktKSFBxMlU=</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php HTTP/1.1
Referer: https://www.google.com/search?hl=en&amp;q=testing
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_1336931493=9ef3524f7b76d0b91855655bd0f01c1c;captcha_3688958368=clUyb0FsWGZrTkZqb1BhUG13cGVZMjZLSktKSFBxMlU=
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>URL encoded POST input <strong><span class="bb-dark">sumbit</span></strong> was set to <strong><span class="bb-dark">dUEwQ0NEV0x3RUFTOFZjalZmaHJTTlpnZ1lPZmhCWUM=</span></strong><br/><br/> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">POST /zb_system/cmd.php?act=sample%40email.tst&amp;key=http://www.vulnweb.com&amp;postid=2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 183
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
inpEmail=%E8%AE%BF%E5%AE%A2&amp;inpHomePage=0&amp;inpId=g00dPa%24%24w0rD&amp;inpName=sumbit=%E6%8F%90%E4%BA%A4&amp;inpRevID=555&amp;inpVerify=cmt&amp;dUEwQ0NEV0x3RUFTOFZjalZmaHJTTlpnZ1lPZmhCWUM=&amp;txaArticle=2</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Error message on page
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFolder/Text_Search_Dir.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    <div class="bb-coolbox"><span class="bb-dark">This alert requires manual confirmation</span></div><br/>

Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.<br/><br/>

Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Error messages may disclose sensitive information which can be used to escalate attacks.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Verify whether this page discloses error or warning messages and, if so, configure the application to log errors to a file instead of displaying them to the user.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors">PHP Runtime Configuration</a><br>
    
    <a href="https://www.owasp.org/index.php/Improper_Error_Handling">Improper Error Handling</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3106"><b>
        
        /zb_system/admin/
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td> Pattern found: <pre><span class="bb-blue">Internal Server Error</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    HTML form without CSRF protection
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Crawler/12-Crawler_Form_NO_CSRF.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    <div class="bb-coolbox"><span class="bb-dark">This alert requires manual confirmation</span></div><br/>

Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim did not intend to make. In other words, with CSRF an attacker abuses the trust a web application has in a victim's browser.<br/><br/>

Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more information about the affected HTML form.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    An attacker could use CSRF to trick a victim into accessing a website hosted by the attacker, or clicking a URL containing malicious or unauthorized requests.<br/><br/>

CSRF is a type of 'confused deputy' attack which leverages the authentication and authorization of the victim when the forged request is sent to the web server. Therefore, if a CSRF vulnerability affects highly privileged users such as administrators, full application compromise may be possible.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if necessary.<br/><br/>

The recommended and most widely used technique for preventing CSRF attacks is known as an anti-CSRF token, also sometimes referred to as a synchronizer token. A well-designed anti-CSRF system has the following attributes.<br/><br/>

<ul>
  <li>The anti-CSRF token should be unique for each user session</li>
  <li>The session should automatically expire after a suitable amount of time</li>
  <li>The anti-CSRF token should be a cryptographically random value of significant length</li>
  <li>The anti-CSRF token should be cryptographically secure, that is, generated by a strong Pseudo-Random Number Generator (PRNG) algorithm</li>
  <li>The anti-CSRF token is added as a hidden field for forms, or within URLs (only necessary if GET requests cause state changes, that is, GET requests are not idempotent)</li>
  <li>The server should reject the requested action if the anti-CSRF token fails validation</li>
</ul><br/>

When a user submits a form or makes some other authenticated request that relies on a cookie, the anti-CSRF token should be included in the request. The web application then verifies the existence and correctness of this token before processing the request. If the token is missing or incorrect, the request should be rejected.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://www.acunetix.com/websitesecurity/csrf-attacks/">What is Cross Site Reference Forgery (CSRF)?</a><br>
    
    <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet">Cross-Site Request Forgery (CSRF) Prevention Cheatsheet</a><br>
    
    <a href="http://www.cgisecurity.com/csrf-faq.html">The Cross-Site Request Forgery (CSRF/XSRF) FAQ</a><br>
    
    <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site Request Forgery</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET / HTTP/1.1
Cookie: __cfduid=d589445540f537ce52b017dec798734701558927323
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2866"><b>
        
        /index.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /index.php HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3106"><b>
        
        /zb_system/admin/
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/admin/ HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_1336931493=8595f002250d3e8932b0d7f765d8fb9d;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_419"><b>
        
        /zb_system/cmd.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/cmd.php?act=misc&amp;type=vrs HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3094"><b>
        
        /zb_system/login.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/login.php HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    URL rewrite vulnerability
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /httpdata/request_url_override.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    It was identified that this application supports the legacy headers <strong>X-Original-URL</strong> and/or <strong>X-Rewrite-URL</strong>. <br/><br/>


Support for these headers lets a client override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. A user can therefore request one URL but have the web application serve a different one, which can bypass restrictions enforced by higher-level caches and web servers. <br/><br/>

Many web frameworks, such as Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2, zend-diactoros up to 1.8.4, zend-http up to 2.8.1 and zend-feed up to 2.10.3, are affected by this security issue.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    The impact of this vulnerability depends on the affected web application/framework.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Upgrade the affected web frameworks to their latest versions. Where upgrading is not immediately possible, make sure the application does not honour the X-Original-URL and X-Rewrite-URL headers from untrusted clients, for example by stripping them at the reverse proxy or web server in front of the application.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers">CVE-2018-14773: Remove support for legacy and risky HTTP headers</a><br>
    
    <a href="https://framework.zend.com/security/advisory/ZF2018-01">ZF2018-01: URL Rewrite vulnerability</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /?cb762117=1 HTTP/1.1
X-Original-URL: /sgoxxalhcd
X-Rewrite-URL: /sgoxxalhcd
Cookie: __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2866"><b>
        
        /index.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /index.php?cb155626=1 HTTP/1.1
X-Original-URL: /mnagniskxy
X-Rewrite-URL: /mnagniskxy
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    User credentials are sent in clear text
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Crawler/12-Crawler_User_Credentials_Plain_Text.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Because user credentials are considered sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3094"><b>
        
        /zb_system/login.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/login.php HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Vulnerable Javascript library
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Medium
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFile/Javascript_Libraries_Audit.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Consult References for more information.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Upgrade to the latest version.
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_451"><b>
        
        /zb_system/script/common.js
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Detected Javascript library <strong>jquery</strong> version <span class="bb-dark"><strong>1.8.3</strong></span>. <br/>The version was detected from <strong>file content</strong>.<br/><br/>  References: <ul>               <li>https://github.com/jquery/jquery/issues/2432</li>               <li>http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/</li>      </ul></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/script/common.js HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_1336931493=8595f002250d3e8932b0d7f765d8fb9d;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Clickjacking: X-Frame-Options header missing
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerServer/Clickjacking_X_Frame_Options.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. <br/><br/>
The server didn't return an <strong>X-Frame-Options</strong> header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    The impact depends on the affected web application. 
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Configure your web server to include an X-Frame-Options header. Consult Web references for more information about the possible values for this header.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options">The X-Frame-Options response header</a><br>
    
    <a href="http://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a><br>
    
    <a href="https://www.owasp.org/index.php/Clickjacking">OWASP Clickjacking</a><br>
    
    <a href="https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_Content_Security_Policy_frame-ancestors_directive">Defending with Content Security Policy frame-ancestors directive</a><br>
    
    <a href="http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed">Frame Buster Buster</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET / HTTP/1.1
Connection: keep-alive
Cookie: __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Cookie(s) without HttpOnly flag set
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /RPA/Cookie_Without_HttpOnly.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    This cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Cookies can be accessed by client-side scripts.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    If possible, you should set the HttpOnly flag for this cookie.
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c; path=/</td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/script/c_validcode.php?id=cmt&amp;tm=0.36580236262377785 HTTP/1.1
Host: www.vbboy.com
X-WVS-ID: 2
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.vbboy.com/?id=2
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Cookie: UM_distinctid=16af752a58b298-0f3603aa1ec26f-1e1c7f57-75300-16af752a58c6e4; CNZZDATA1260370248=404584257-1558924339-%7C1558924339; timezone=8; __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330; captcha_3688958368=834caaf8f26f9fd3ab36d8b247a6b338
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Cookie(s) without Secure flag set
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /RPA/Cookie_Without_Secure.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over secure SSL/TLS channels. This is an important security protection for session cookies.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Cookies could be sent over unencrypted channels.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    If possible, you should set the Secure flag for this cookie.
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c; path=/</td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/script/c_validcode.php?id=cmt&amp;tm=0.36580236262377785 HTTP/1.1
Host: www.vbboy.com
X-WVS-ID: 2
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://www.vbboy.com/?id=2
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Cookie: UM_distinctid=16af752a58b298-0f3603aa1ec26f-1e1c7f57-75300-16af752a58c6e4; CNZZDATA1260370248=404584257-1558924339-%7C1558924339; timezone=8; __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330; captcha_3688958368=834caaf8f26f9fd3ab36d8b247a6b338
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Login page password-guessing attack
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerScheme/Html_Authentication_Audit.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. <br/><br/>

This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web references for more information about fixing this problem.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    An attacker may attempt to discover a weak password by systematically trying every possible combination of letters, numbers, and symbols until it discovers the one correct combination that works.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="http://www.owasp.org/index.php/Blocking_Brute_Force_Attacks">Blocking Brute Force Attacks</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3094"><b>
        
        /zb_system/login.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>The scanner tested 10 invalid credentials and no account lockout was detected.</td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">POST /zb_system/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://www.vbboy.com/
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 127
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
btnPost=%E7%99%BB%E5%BD%95&amp;chkRemember=on&amp;dishtml5=0&amp;edtPassWord=UVbAwemc&amp;edtUserName=0rzVbhmE&amp;password=1&amp;savedate=0&amp;username=1</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Possible relative path overwrite
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFile/Relative_Path_Overwrite.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    <div class="bb-coolbox"><span class="bb-dark">Manual confirmation is required for this alert.</span></div><br/>
Gareth Heyes introduced a technique to take advantage of CSS imports with relative URLs by overwriting their target file. This technique can be used by an attacker to trick browsers into importing HTML pages as CSS stylesheets. If the attacker can control a part of the imported HTML pages, he can abuse this issue to inject arbitrary CSS rules.

    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    On older versions of Internet Explorer it's possible to execute arbitrary JavaScript code using Internet Explorer's expression() function. An attacker can also extract the page source and potentially steal CSRF tokens using CSS selectors.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    If possible, it's recommended to use absolute links for CSS imports. The problem can be partially mitigated by preventing framing: configure your web server to include an X-Frame-Options: deny header on all pages.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="http://www.thespanner.co.uk/2014/03/21/rpo/">Relative Path Overwrite</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_3094"><b>
        
        /zb_system/login.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>A CSS import from a relative path was found on this page: <pre>&lt;link rel=&quot;stylesheet&quot; href=&quot;css/admin.css&quot; type=&quot;text/css&quot; media=&quot;screen&quot; /&gt;</pre> The same relative CSS import is present even when a random string was placed after the filename. Also, the response is frameable.</td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/login.php/iBdxJ/ HTTP/1.1
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Possible sensitive directories
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Low
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFolder/Possible_Sensitive_Directories.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    A possible sensitive directory has been found. This directory is not directly linked from the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, and temporary directories. Each one of these directories could help an attacker to learn more about his target.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    This directory may expose sensitive information that could help a malicious user to prepare more advanced attacks.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Restrict access to this directory or remove it from the website.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="http://www.acunetix.com/websitesecurity/webserver-security/">Web Server Security and Database Server Security</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/admin HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_users/upload HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_users/logs HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/image/admin HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Connection: keep-alive
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_users/theme/default/include HTTP/1.1
Accept: acunetix/wvs
Range: bytes=0-99999
Connection: keep-alive
Cookie: __cfduid=d3f5d33b183b3b3f53002811e82d04ee81558928503;bdshare_firstime=1558927572005;captcha_1011327024=2496c699565832d5cc83e1aa7d6b0fc3;captcha_1082452901=1bbf21e1fbc209e54b5032db60d0c398;captcha_1103369702=b420844c9e566bbedd307911c65e0f54;captcha_1104051602=2807aa6a40ed4781c960c4221cec74c2;captcha_1116892633=4d9977de0184b5f7eb1f216b20d05faa;captcha_1131309426=ffbe7ccc7e7d2cfe2a07461102c66209;captcha_115220709=7fc075f08ff39292959bdca0531c449f;captcha_1186595569=74bce5df33d83a7f28f8c74098a297fa;captcha_1210086391=1ed7cede3082e44e481794118a8c8621;captcha_1217504333=a67b1a6876d2dacbf16b4edebc0158cb;captcha_1234540984=ae479f4f0335c494c12ad03b66485e1f;captcha_1241489002=bf5c22371111cad4c5edfd38ee099a97;captcha_12518970=b874118d1f1603bb994e5c2705d05dc2;captcha_127078804=b5fc2287b28798f0019f6502e284ed20;captcha_1279390267=f82fa5ed3eae2805cc802fe42d05abff;captcha_1334070963=3ace49417756dcdbb351596bf69f2bd9;captcha_1336931493=a00bec469789bba98d0a72c934d15bcb;captcha_1355328901=3d376dd2b77b100456992aea595ca289;captcha_1379791612=0af57508e89532c95a73ad2215dee389;captcha_1413759057=0ef904133399f68478ff3c7c7065a200;captcha_1429911420=268deaf6494767332184f862b2adb89f;captcha_1434836030=6265d6d9e1c6721d20756684eb625be0;captcha_1440250097=b2866ac1f51e3a01e40bd506aac20319;captcha_144192806=9a214881f9c12c573c67fe02d073b873;captcha_1464587709=d2fd83b74b50b273812ec822715caa72;captcha_1475160777=257937900133e803f2f4102579435cbb;captcha_1529040715=105cc8c68cba944f51af2f4bc25c2a22;captcha_1530337627=5948a670560829c08185bafc70d34d59;captcha_1531356072=c2187bab3c4c7f3dc7b38b6f7ca692b3;captcha_1532558294=3543e8165baab4193a258076f3b01cce;captcha_154661706=ad0b23353aab6d332aadf8532d96da92;captcha_155308162=6332ad6cf17b5e26d12059928b692167;captcha_1592048086=1a4935542fe7e71f4dbb7a2198035942;captcha_161498738=fa660dc78ec7633ea8421434a11ddfa4;captcha_1665876433=0c16a25c70845435309febffd051d439;captcha_1676784899=6f3b08bc812234ecc43fee3d55892970;captcha_1679807654=1f30d5d9ceb5424d3908808c8
95f2d5e;captcha_1707954924=86ceaa94535999455986cdba9871e89e;captcha_1730938613=d033672c065e435247a57cf81ba08c35;captcha_175914233=955ba9ca649adc65f50e7ca255b3b5c9;captcha_1817530600=6b5aa5b7d362f4b4750d8474ea6d5ec5;captcha_1817815486=49bd633f7b137da3de9bb1f69109d992;captcha_1860418669=6c203a04cacb3ed230f462f0d494c3fa;captcha_1874549362=7f38f230255fb62f397c4fcdc23c5413;captcha_1939670967=dab8fe8121a452ecfe62c3dd4e826828;captcha_2052025707=6e29b2730efff5c4156677aa71c8346b;captcha_2066882207=4069a67f6601c29dd7a95e91c4511b57;captcha_2067703337=497c546743475ba81285a4b9ac295e93;captcha_2111607095=9347d554686643cbb703c0a600d94914;captcha_2130801571=5a00eeacef931dda509c7abc8b23043a;captcha_2136135556=5359e3cccdf96be79d7efb21a397b7d3;captcha_2141595092=c6634c3228e3ac0ef15af916f55d13fa;captcha_2142555102=42ddd33c9398129511df8f979af82bfa;captcha_2159971306=89a1c17d51f176b582ba6ee40ae4bbec;captcha_2173180877=77e1c78fe7f38a488cb22c808b76ef39;captcha_2183497084=aa388960432f067b2371ebbb60ff7ab4;captcha_2195207972=7f5f127be8f7ba6160c0b2ef77a4acf9;captcha_2205365612=5017030db991197fc2df1a621d8a86d8;captcha_2207834062=a1ab11b7902bd41d9c37c73117126a8a;captcha_2232817345=ad86aa91e8db3fa85f8aebb340ef2567;captcha_2253173837=d28dd19767a88868e86f66065a746340;captcha_2263834180=70f212dfa26f2fcd41ea80ca9e39fba3;captcha_2280483596=464174c9464b4ae2ac0fd8fb6fe92fc6;captcha_2289070005=ee87a7f9ace9fbe27b5d49cf24fef00b;captcha_2292104284=6e5bb7a5f27ec126d2833f2345891390;captcha_2300978108=3fdc5669216c02f94231f2db4caa7cb8;captcha_2331271195=692437fefa76d01cc821485d8f1c1624;captcha_2353490639=4a4192527a732126b68f37589c737492;captcha_2364688447=714ccaef84dc812591f6a306443c71c0;captcha_2365993734=f5d30c957ea4aca2d4db3528dd0ef2b8;captcha_2376336438=57f4cafb8c62be1891dc91ee873ece11;captcha_238251077=02cf65cb30755e5cd5d7f4161df5bb15;captcha_2403188839=9a49aeefd123570adfe34589d1a070ff;captcha_2409610939=921bbbe5690b5be9ee68477f41b93bb9;captcha_2441863277=c1695525ffbd9913971259a9b3cfb564;captcha_2452765270
=5232cf7b74ceff0c3bca9fc5b3999c93;captcha_2529921305=560f75d38fd5b77f315c65b4fdabda83;captcha_2613019998=5fb75049fc77d228340df6425b2ea915;captcha_2617799305=a608808b9eaef4e3a7da2b04cdb9ff43;captcha_2620064255=eeaae5c43ae324d077529ba1b6e95657;captcha_2634655296=f01a4e5fb4f0cac913468c562524c230;captcha_263944924=bff296b8cf49d98ad60131fce50443b2;captcha_2711960060=6ac2682c3cccacede14e5468ddb314ff;captcha_2726223322=94f5d77932e133d0dfb01be0d470920a;captcha_273250838=3f31b6ae3c897f1493354c2fbc2af06a;captcha_2778196471=3e405b486d3b67b3ab75a9caf7148901;captcha_2796421357=c6bd389c158871dbee36daf0e656db97;captcha_2857583908=b1ad353464adb020f34080a9b5e50e4d;captcha_2900108913=b71cca225635bafd7ad66d8a0f9210ce;captcha_2901517053=e9cbfb226d0c41b633d75ccbae08f6b9;captcha_2963235947=38bc92c860866d9c4b6e9924a58e9b2b;captcha_3031874652=d8b530ed78c393fd449238cfb10ba3c7;captcha_3049099879=bff839994a68a2f9d6f2d0857d2558a9;captcha_3067096139=067f3e4e391410108cd8ebd66af4c3da;captcha_3085507923=4c9508a1e71c28372e488e2c2a6e5b50;captcha_3108597002=6a4d7439c6e3cec6ed0fc635677903d1;captcha_3124196677=aca28f1cb2ed7244dfd5ac5c8c7b2e02;captcha_319564018=dcfb25b014c2063e959493ee46dcc2ed;captcha_3225910356=6b7afc1f0e339185dee13f4607aa34eb;captcha_324749524=15f69306315570a8811076632014a7d2;captcha_3289293872=feed5d78c267770989f9f4ec85a2aa2f;captcha_3299556771=05042d38e5c37d3d9c13b832c76907df;captcha_3310931585=04f50ba247e2618c29043293867faf21;captcha_3428703844=5fd20c49001a0befa035bb856803e3c0;captcha_3472242410=acf9f70b31d8a7089af3fecc34aa47a5;captcha_3480562853=bd9cb1756b45031e48ca858e2d552953;captcha_348125050=93c7061a48284b109f5f82ee85c8ffdd;captcha_348764843=6b5bd1d5b3715a80f808845f504a51b9;captcha_3517715818=3f37d1c126c03cb324f6b7ade388070a;captcha_3557069902=c09aabdb0077026406382dae4ccf2b12;captcha_3565863737=dfb3f94b042283e281a3951eb97cf347;captcha_3569370549=b26e61e11df1ec8955447afc5cc9855c;captcha_3576105621=45a4318ad2ba01188e60c1f079a48f1c;captcha_3682208558=b26d21c949a8612db5a4d2610d3cb
6c6;captcha_3688958368=bedc235f2f763260e68a3221b2483004;captcha_371985089=4ad3ae8f969601f8c915b7500719420a;captcha_3740378515=9ea3ba6be5895ae218b90904306b8913;captcha_376822226=c7c51d38a779dba64ec77e5481bc4c9d;captcha_3779738114=b8b619c5f7f27d51daddbbe4747fbe5f;captcha_3843063205=1abd4b894db3349de273e4f11847588e;captcha_3907972154=ad0e5debb2b8b62f471ee91e7c8c3a75;captcha_3907972451=768278b1384172800643192279d8eada;captcha_4036641499=80d952cdddb2f9af03ec82f07f96cbf3;captcha_4058747297=25504072dd7ca30b0b7962a3e78657ad;captcha_4060584242=9d30ced208689910b5b1c82861dbe348;captcha_4096029475=a70dd5dac23d63b3088af9cf095bb726;captcha_4096097755=ec62b0e78e15626517a81083f7b6b84d;captcha_4106793126=065c3534275a886b5bcee946389ac078;captcha_4166959769=765c70942736402729cd8a3cff1574b4;captcha_4169293783=31bfaf0ebd5d7b4da2cfcff40d11f4df;captcha_4247816259=9f8814ab2b4eeadd5068bae8db468656;captcha_4253722906=f888e2917739c59b0457981220e32b91;captcha_42904443=53bde396737553a2dd5d7fbe7dc1129b;captcha_520689506=74d380e5a31cbc1481dcef4e13fe5b9f;captcha_576703527=1ca81a72f3322bf49bd2d22b167c423c;captcha_606585252=8152d685f315608365a6699cbb266345;captcha_642499349=82891dcc174513470df360981a3816aa;captcha_668782712=ab986a19aab986767545b0d60ebac11e;captcha_697141547=850b1e27696627ba56eeb04c8e95225d;captcha_720627141=f15149a7f4643caa1fbcb4cb079c66f4;captcha_75606263=4617b9b5705866b60dc1f15aa524c6b8;captcha_835960449=a0e6e5203dd6f5ad088211cd93077e19;captcha_856651966=6be1b1aed066243164de9ab7d8d51e10;captcha_857026554=5a8328e484f084c3f4af82b281a48f96;captcha_900836064=a7d237788d834b8c762bcc091951e72a;captcha_910397298=5948220011f3e0755f5abacfd8ed053e
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Content Security Policy (CSP) not implemented
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Informational
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /httpdata/CSP_not_implemented.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. <br/><br/>

Content Security Policy (CSP) can be implemented by adding a <strong>Content-Security-Policy</strong> header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP header could look like the following:

<pre><code>
Content-Security-Policy:
    default-src 'self';
    script-src 'self' https://code.jquery.com;
</code></pre>

<br/><br/>

It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others. 
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the <strong>Content-Security-Policy</strong> HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. 
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a><br>
    
    <a href="https://hacks.mozilla.org/2016/02/implementing-content-security-policy/">Implementing Content Security Policy</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET / HTTP/1.1
Cookie: __cfduid=d589445540f537ce52b017dec798734701558927323
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Email address found
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Informational
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFolder/Invalid_Page_Text_Search.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across.  Spambot programs look for strings like myname@mydomain.com and then record any addresses found.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Email addresses posted on Web sites may attract spam.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Check references for details on how to solve this problem.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://en.wikipedia.org/wiki/Anti-spam_techniques">Anti-spam techniques</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">mat_wu@163.com
</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /feed.php/pd3eRCvneI.jsp HTTP/1.1
Connection: keep-alive
Cookie: __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_466"><b>
        
        /feed.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">mat_wu@163.com
</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2705"><b>
        
        /zb_system/css/admin.css
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">u2lei@yahoo.com.cn
xinxr@msn.com
</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Password type input with auto-complete enabled
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Informational
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Crawler/12-Crawler_Password_Input_Autocomplete.js
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    When a new name and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Possible sensitive information disclosure.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    The password auto-complete should be disabled in sensitive applications. <br/>To disable auto-complete, you may use code similar to: <pre><code>&lt;INPUT TYPE=&quot;password&quot; AUTOCOMPLETE=&quot;off&quot;&gt;</code></pre> Note that current browsers may ignore this attribute for password fields, so it should not be treated as the only control.
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td></td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /zb_system/login.php HTTP/1.1
Cookie: __cfduid=d49d060cf82d9f3d08d666cfbffb709ce1558927586;bdshare_firstime=1558927572005;captcha_3688958368=58301bc0f6a8f39ed1dcd9484ef2131c
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive
</code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Possible internal IP address disclosure
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Informational
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFolder/Invalid_Page_Text_Search.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further attacks.<br/><br/><div class="bb-coolbox"><span class="bb-dark">This alert may be a false positive; manual confirmation is required.</span></div>
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Possible sensitive information disclosure.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Prevent this information from being displayed to the user.
</p>



<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_2"><b>
        
        Web Server
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">192.168.2.168</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line">GET /feed.php/pd3eRCvneI.jsp HTTP/1.1
Connection: keep-alive
Cookie: __cfduid=d43ae5e468ec3f365b9d50b98456d83f81558927330
Accept: */*
Accept-Encoding: gzip,deflate
Host: www.vbboy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
</code></td></tr>
</table>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_466"><b>
        
        /feed.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">192.168.2.168</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <h3 class="ax-section-title ax-section-title--big">
    
        <img src="">
    
    Possible server path disclosure (Unix)
</h3>

<table border="1" class="ax-alert-info">
    <tr>
        <td>
            Severity
        </td>
        <td class="ax-alert-info__severity_value">
            Informational
        </td>
    </tr>
    <tr>
        <td>
            Reported by module
        </td>
        <td>
            /Scripts/PerFile/Text_Search_File.script
        </td>
    </tr>
</table>

<h4 class="ax-section-title">
    Description
</h4>

<p>
    
    One or more fully qualified path names were found on this page. From this information an attacker may learn the file system structure of the web server. This information can be used to conduct further attacks.<br/><br/><div class="bb-coolbox"><span class="bb-dark">This alert may be a false positive; manual confirmation is required.</span></div>
    
</p>

<h4 class="ax-section-title">
    Impact
</h4>

<p>
    Possible sensitive information disclosure.
</p>

<h4 class="ax-section-title">
    Recommendation
</h4>

<p>
    Prevent this information from being displayed to the user.
</p>


<h4 class="ax-section-title">
    References
</h4>

<p>
    
    <a href="https://www.owasp.org/index.php/Full_Path_Disclosure">Full Path Disclosure</a><br>
    
</p>


<h4 class="ax-section-title">
    Affected items
</h4>











    <table border="1" style="table-layout: fixed">
    <tr><td class="ax-affected-item__highlight--dark" id="link_id_466"><b>
        
        /feed.php
        
    </b></td></tr>
    
    <tr><td class="ax-affected-item__highlight--light">Details</td></tr>
    <tr><td>Pattern found: <pre><span class="bb-blue">/usr/share/applications/</span></pre> </td></tr>
    <tr><td class="ax-affected-item__highlight--light">Request headers</td></tr>
    <tr><td><code style="white-space: pre-line"></code></td></tr>
</table>











    <h3 class="page-break ax-section-title">
    Scanned items (coverage report)
</h3>












    
    <font color="red">http://www.vbboy.com/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/images/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/l/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/l/email-protection</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/5c5dd728/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/cf.common.js</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/scripts/zepto.min.js</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/styles/</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/styles/cf.errors.css</font><br>













    
    <font color="green">http://www.vbboy.com/cdn-cgi/styles/fonts/</font><br>













    
    <font color="red">http://www.vbboy.com/feed.php</font><br>













    
    <font color="red">http://www.vbboy.com/index.php</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/</font><br>













    
    <font color="red">http://www.vbboy.com/zb_system/admin/</font><br>













    
    <font color="red">http://www.vbboy.com/zb_system/cmd.php</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/css/</font><br>













    
    <font color="red">http://www.vbboy.com/zb_system/css/admin.css</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/image/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/image/admin/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/image/common/</font><br>













    
    <font color="red">http://www.vbboy.com/zb_system/login.php</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/script/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/script/c_admin_js_add.php</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/script/c_html_js_add.php</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/script/c_validcode.php</font><br>













    
    <font color="red">http://www.vbboy.com/zb_system/script/common.js</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/script/md5.js</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/xml-rpc/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_system/xml-rpc/wlwmanifest.xml</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/cache/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/data/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/logs/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/php/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/themes/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/themes/default/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/themes/default/images/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/third-party/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/third-party/prism/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/third-party/prism/prism.css</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/plugin/UEditor/third-party/prism/prism.js</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/default/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/default/include/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/default/script/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/font-awesome-4.3.0/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/font-awesome-4.3.0/css/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/font-awesome-4.3.0/css/font-awesome.min.css</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/font-awesome-4.3.0/fonts/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/font-awesome-4.3.0/fonts/fontawesome-webfont.woff2</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/iconfont/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/images/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/img/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/js/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/js/com.js</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/theme/fengyan/style/style.css</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2017/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2017/12/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2018/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2018/03/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2018/12/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2019/</font><br>













    
    <font color="green">http://www.vbboy.com/zb_users/upload/2019/02/</font><br>













    </body>
</html>
